The Four Element Sword Engagement

Ongoing APT activity against Tibetans, Hong Kong and Taiwanese interests

In “The Four Element Sword Engagement (Full Report)”, Arbor ASERT reveals recent ongoing APT activity likely associated with long-running threat campaigns against Tibetans, Hong Kong, Taiwanese interests and human rights workers. We presume the existence of associated malcode, dubbed the Four Element Sword Builder, which is being used to weaponize RTF documents for use in these campaigns. A sample of twelve different targeted exploitation incidents (taken from a larger set of activity) are described along any discovered connections to previously documented threat campaigns.


Indicators of Compromise (IOC’s) are available in CSV format.

Since at least late December of 2015, four vulnerabilities – CVE-2012-0158, CVE-2012-1856, CVE-2015-1641, and CVE-2015-1770 – related to the parsing of Microsoft Rich Text File (RTF) documents are being leveraged by advanced threat actors to launch exploitation campaigns against members of the Tibetan community, along with journalists and human rights workers in Hong Kong and Taiwan. One of these vulnerabilities – CVE-2015-1641 – has been typically used in cybercrime operations starting in 2015 and has not been widely observed in use by Advanced Persistent Threat (APT) actors until recently. The vulnerabilities are being used to deliver Chinese-oriented malware payloads such as Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST.

Analysis of malware payloads, malware metadata and actor group Tactics, Techniques and Procedures (TTP’s) provides useful insight into the malware, targeting, and links to past threat actor infrastructure. Indicator overlap reveals a connection to prior exploitation campaigns against the World Uyghur Congress (WUC) from 2009-2014 as presented in 2014 at the Usenix Security Symposium. Additional indicators suggest an overlap with the actors behind “Operation Shrouded Crossbow”, as identified by Trend Micro.

This recent activity uncovered by ASERT matches pre-existing targeting patterns towards the “Five Poisons” – organizations and individuals associated with perceived threats to Chinese government rule: Uyghurs, Tibetans, Falun Gong, members of the democracy movement and advocates for an independent Taiwan. This targeting scheme, along with various malware artifacts and associated metadata, suggest that the threat actors herein have a Chinese nexus.

Additional malware following the same type of patterns described has been discovered since this report was written, and suggests that these generalized threat campaigns using weaponized RTF documents are ongoing.

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, Canada focusing on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security. They have also published content related to the threat activity described herein. You may find their material at

Comments are closed.